Thoughts from the EPS Windows Server Performance Team
Useful Microsoft Blogs
One of the more common questions IT Admins and Managers ask us when they call in is "How do we prevent IE7 from installing on our client machines?" Although it seems like a fairly straightforward question there are several scenarios to consider:
Scenario 1: If a user gets the update from Windows Update through an Automatic Download, they must have Local Administrator rights to approve the install. Many environments without centralized patch management allow Windows Update to automatically update their client machines. If the install is not approved by a user with Administrative rights, IE7 does not install.
Scenario 2: For environments with centralized client management, you can use the IE Blocker Toolkit to set a Policy on the client machines. This is targeted for environments without a central patch management system such as WSUS or SMS. However, the caveat here is that the Blocker Toolkit does not prevent users with Local Admin rights from downloading IE7 manually and installing it either via the Microsoft site or from a branded version (such as an IE7 package offered by their ISP). The Registry entry is as follows:
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\7.0Name: DoNotAllowIE70Type: REG_DWORD Value: 1 (this blocks the installation. Setting the value to 0 unblocks the installation)
Scenario 3: For organizations with WSUS etc, their challenge is preventing users with Administrative rights from installing IE7 manually. This can be achieved most effectively via a Software Restriction Hash Policy. The administrator creating the Group Policy will need to download each of the installer packages for the versions he wants to block and create individual Hash Rules (see KB Article 324036). You should also review the following Technet Article: Using Software Restrictions to Protect Against Unauthorized Software.
The names of the executables for each version of IE7 that you can download from Microsoft:
Even if the actual file name is changed after download, the hash value of the file is used to create the block.
Creating the Hash Rule
Open GPEdit.MSC, browse to Computer Configuration --> Windows Settings --> Security Settings --> Software Restriction Policies --> Additional Rules
Right Click and Select New Hash Rule …
Click Browse to browse to the file you want to block. The information about the file is automatically populated.
Set the Security Level to Disallowed to prevent the file from installing and click OK.
NOTE: If you are concerned about branded versions of IE7 (such as an ISP provided version) being installed, you need to take the Hashing step to the next level. Extract the IESetup.EXE out of the branded package and hash each version. That way the actual installer is blocked.
- CC Hameed
There have been several requests for good IE resources - especially resources pertaining to Internet
i have been locked out of my computer and do not know the administrator password. this computer is used by myself only and i don't know how this happened
please advise me as to the simpist method for canceling this block...i don't have the faintest how this occured
If you can email me at email@example.com
I am wondering if this hash rule will prevent WSUS from installing IE7 to computers. The logic is i want one simple computer group and to apply all updates, but have a separate GPO with this software restriction to block IE7 for a few client machines that need a web app to run under IE6